The latest articles on Forem by Antonio Delgado (@antonio_delgado_4df54c9bc). https://forem.com/antonio_delgado_4df54c9bc https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3635471%2Fdf2a64cf-91ef-40cd-82d1-e5f2cdf0e264.png https://forem.com/antonio_delgado_4df54c9bc en Antonio Delgado Sun, 07 Dec 2025 22:07:53 +0000 https://forem.com/antonio_delgado_4df54c9bc/production-ready-code-examples-32n5 https://forem.com/antonio_delgado_4df54c9bc/production-ready-code-examples-32n5 <h1> Production-Ready Code Examples </h1> <p>I'll upgrade all code examples to production quality with realistic naming, error handling, comments, and the evolution real developers go through.</p> <h2> The Database Query That Still Haunts Me </h2> <h3> Version 1: What I Actually Shipped (The Bad One) </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// user-filters.controller.js</span> <span class="c1">// Added by @mike - Sprint 23 - User filtering feature</span> <span class="c1">// TODO: This works but feels slow with lots of filters, revisit if issues</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">();</span> <span class="cm">/** * GET /api/users/search * Filters users by multiple criteria */</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">searchUsers</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">filters</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// filters = [{ field: 'email', value: 'gmail' }, ...]</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Copilot suggested this pattern - seemed clean</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">OR</span><span class="p">:</span> <span class="nx">filters</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">filter</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="p">[</span><span class="nx">filter</span><span class="p">.</span><span class="nx">field</span><span class="p">]:</span> <span class="p">{</span> <span class="na">contains</span><span class="p">:</span> <span class="nx">filter</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="p">}))</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">users</span><span class="p">,</span> <span class="na">count</span><span class="p">:</span> <span class="nx">users</span><span class="p">.</span><span class="nx">length</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// FIXME: Error handling is too generic</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Search failed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Search failed</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>What's wrong:</strong></p> <ul> <li>No validation on <code>filters</code> input</li> <li> <code>contains</code> does case-sensitive search (users complained about this)</li> <li>Full table scan for each OR condition</li> <li>No pagination</li> <li>Error logging with <code>console.error</code> instead of proper logger</li> <li>Returns all user data including sensitive fields</li> </ul> <h3> Version 2: After Performance Issues Hit Production </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// user-filters.controller.js</span> <span class="c1">// Updated by @mike - Sprint 26 - Performance fixes after incident #2847</span> <span class="c1">// Context: Dashboard timing out with &gt;100 users, support tickets piling up</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">logger</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils/logger.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ValidationError</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../errors/index.js</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">();</span> <span class="c1">// Allowed fields to prevent SQL injection via dynamic field names</span> <span class="kd">const</span> <span class="nx">SEARCHABLE_FIELDS</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">username</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">firstName</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">lastName</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">department</span><span class="dl">'</span> <span class="p">]);</span> <span class="cm">/** * GET /api/users/search * Filters users by multiple criteria with pagination * * @param {Array} filters - Array of {field, value} objects * @param {Number} page - Page number (default: 1) * @param {Number} limit - Results per page (default: 50, max: 100) */</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">searchUsers</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">filters</span> <span class="o">=</span> <span class="p">[],</span> <span class="nx">page</span> <span class="o">=</span> <span class="mi">1</span><span class="p">,</span> <span class="nx">limit</span> <span class="o">=</span> <span class="mi">50</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// Input validation - learned this the hard way</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">filters</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ValidationError</span><span class="p">(</span><span class="dl">'</span><span class="s1">filters must be an array</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">filters</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">users</span><span class="p">:</span> <span class="p">[],</span> <span class="na">count</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">page</span><span class="p">,</span> <span class="na">totalPages</span><span class="p">:</span> <span class="mi">0</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">filters</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ValidationError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Maximum 10 filters allowed</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Validate each filter</span> <span class="kd">const</span> <span class="nx">validatedFilters</span> <span class="o">=</span> <span class="nx">filters</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">filter</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">filter</span><span class="p">.</span><span class="nx">field</span> <span class="o">||</span> <span class="o">!</span><span class="nx">filter</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ValidationError</span><span class="p">(</span> <span class="s2">`Filter at index </span><span class="p">${</span><span class="nx">index</span><span class="p">}</span><span class="s2"> missing required fields`</span> <span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">SEARCHABLE_FIELDS</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">filter</span><span class="p">.</span><span class="nx">field</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ValidationError</span><span class="p">(</span> <span class="s2">`Field "</span><span class="p">${</span><span class="nx">filter</span><span class="p">.</span><span class="nx">field</span><span class="p">}</span><span class="s2">" is not searchable. `</span> <span class="o">+</span> <span class="s2">`Allowed fields: </span><span class="p">${</span><span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">SEARCHABLE_FIELDS</span><span class="p">).</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">, </span><span class="dl">'</span><span class="p">)}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="nx">filter</span><span class="p">.</span><span class="nx">field</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="nc">String</span><span class="p">(</span><span class="nx">filter</span><span class="p">.</span><span class="nx">value</span><span class="p">).</span><span class="nf">trim</span><span class="p">()</span> <span class="p">};</span> <span class="p">});</span> <span class="c1">// Build where clause - this is the part that actually got fixed</span> <span class="c1">// Old way: OR with contains on each field = disaster</span> <span class="c1">// New way: Compound AND with proper indexes</span> <span class="kd">const</span> <span class="nx">whereConditions</span> <span class="o">=</span> <span class="nx">validatedFilters</span><span class="p">.</span><span class="nf">reduce</span><span class="p">((</span><span class="nx">conditions</span><span class="p">,</span> <span class="nx">filter</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Case-insensitive search - users kept complaining about this</span> <span class="nx">conditions</span><span class="p">[</span><span class="nx">filter</span><span class="p">.</span><span class="nx">field</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="na">contains</span><span class="p">:</span> <span class="nx">filter</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">insensitive</span><span class="dl">'</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">conditions</span><span class="p">;</span> <span class="p">},</span> <span class="p">{});</span> <span class="c1">// Get total count for pagination (separate query, but cached)</span> <span class="kd">const</span> <span class="nx">totalCount</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">count</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="nx">whereConditions</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">totalPages</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">ceil</span><span class="p">(</span><span class="nx">totalCount</span> <span class="o">/</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nx">limit</span><span class="p">,</span> <span class="mi">100</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">offset</span> <span class="o">=</span> <span class="p">(</span><span class="nx">page</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">*</span> <span class="nx">limit</span><span class="p">;</span> <span class="c1">// Actual query with proper pagination and field selection</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="nx">whereConditions</span><span class="p">,</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">firstName</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">department</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Don't return password hash, lastLoginIp, etc.</span> <span class="p">},</span> <span class="na">take</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nx">limit</span><span class="p">,</span> <span class="mi">100</span><span class="p">),</span> <span class="c1">// Hard cap at 100</span> <span class="na">skip</span><span class="p">:</span> <span class="nx">offset</span><span class="p">,</span> <span class="na">orderBy</span><span class="p">:</span> <span class="p">{</span> <span class="na">createdAt</span><span class="p">:</span> <span class="dl">'</span><span class="s1">desc</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Log for debugging slow queries</span> <span class="k">if </span><span class="p">(</span><span class="nx">users</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">User search completed</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">filterCount</span><span class="p">:</span> <span class="nx">validatedFilters</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="na">resultCount</span><span class="p">:</span> <span class="nx">users</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="nx">page</span><span class="p">,</span> <span class="na">executionTime</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">req</span><span class="p">.</span><span class="nx">startTime</span><span class="p">}</span><span class="s2">ms`</span> <span class="c1">// Added in middleware</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">users</span><span class="p">,</span> <span class="na">count</span><span class="p">:</span> <span class="nx">users</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="nx">totalCount</span><span class="p">,</span> <span class="na">page</span><span class="p">:</span> <span class="nc">Number</span><span class="p">(</span><span class="nx">page</span><span class="p">),</span> <span class="nx">totalPages</span><span class="p">,</span> <span class="na">hasMore</span><span class="p">:</span> <span class="nx">page</span> <span class="o">&lt;</span> <span class="nx">totalPages</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span> <span class="k">instanceof</span> <span class="nx">ValidationError</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">VALIDATION_ERROR</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Log actual errors for debugging</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">User search failed</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">stack</span><span class="p">,</span> <span class="na">filters</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">filters</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">id</span> <span class="c1">// Added after auth middleware</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">An error occurred while searching users</span><span class="dl">'</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SEARCH_ERROR</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Migration required:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Added after performance incident</span> <span class="c1">-- Reduced query time from ~3000ms to ~50ms with 50k users</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_user_email_trgm</span> <span class="k">ON</span> <span class="n">users</span> <span class="k">USING</span> <span class="n">gin</span> <span class="p">(</span><span class="n">email</span> <span class="n">gin_trgm_ops</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_user_username_trgm</span> <span class="k">ON</span> <span class="n">users</span> <span class="k">USING</span> <span class="n">gin</span> <span class="p">(</span><span class="n">username</span> <span class="n">gin_trgm_ops</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_user_firstname_trgm</span> <span class="k">ON</span> <span class="n">users</span> <span class="k">USING</span> <span class="n">gin</span> <span class="p">(</span><span class="n">first_name</span> <span class="n">gin_trgm_ops</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_user_lastname_trgm</span> <span class="k">ON</span> <span class="n">users</span> <span class="k">USING</span> <span class="n">gin</span> <span class="p">(</span><span class="n">last_name</span> <span class="n">gin_trgm_ops</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_user_department</span> <span class="k">ON</span> <span class="n">users</span> <span class="p">(</span><span class="n">department</span><span class="p">);</span> <span class="c1">-- Enable trigram extension for fuzzy matching</span> <span class="k">CREATE</span> <span class="n">EXTENSION</span> <span class="n">IF</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="n">pg_trgm</span><span class="p">;</span> </code></pre> </div> <h2> .cursorrules for FastAPI Projects (Real Production Version) </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># .cursorrules # FastAPI Backend Rules - Updated 2024-01-15 # Team: Backend Squad | Maintainer: @sarah # # This file teaches Cursor our conventions so we stop fixing the same # things in every PR. If you update this, ping #backend-squad. </span> <span class="c1">## Tech Stack &amp; Versions # We're locked to these versions until Q2 upgrade sprint </span><span class="o">-</span> <span class="n">Python</span> <span class="mf">3.11</span><span class="p">.</span><span class="mi">7</span> <span class="o">-</span> <span class="n">fastapi</span><span class="o">==</span><span class="mf">0.104</span><span class="p">.</span><span class="mi">1</span> <span class="o">-</span> <span class="n">pydantic</span><span class="o">==</span><span class="mf">2.5</span><span class="p">.</span><span class="mi">0</span> <span class="o">-</span> <span class="n">sqlalchemy</span><span class="o">==</span><span class="mf">2.0</span><span class="p">.</span><span class="mi">23</span> <span class="o">-</span> <span class="n">alembic</span><span class="o">==</span><span class="mf">1.13</span><span class="p">.</span><span class="mi">0</span> <span class="o">-</span> <span class="n">pytest</span><span class="o">==</span><span class="mf">7.4</span><span class="p">.</span><span class="mi">3</span> <span class="o">-</span> <span class="n">pytest</span><span class="o">-</span><span class="n">asyncio</span><span class="o">==</span><span class="mf">0.21</span><span class="p">.</span><span class="mi">1</span> <span class="o">-</span> <span class="n">redis</span><span class="o">==</span><span class="mf">5.0</span><span class="p">.</span><span class="mi">1</span> <span class="o">-</span> <span class="n">celery</span><span class="o">==</span><span class="mf">5.3</span><span class="p">.</span><span class="mi">4</span> <span class="c1">## Code Style (Non-Negotiable) </span><span class="o">-</span> <span class="n">Type</span> <span class="n">hints</span> <span class="n">are</span> <span class="n">MANDATORY</span><span class="p">.</span> <span class="n">No</span> <span class="n">exceptions</span><span class="p">.</span> <span class="n">PR</span> <span class="n">will</span> <span class="n">be</span> <span class="n">rejected</span><span class="p">.</span> <span class="o">-</span> <span class="n">Use</span> <span class="n">Pydantic</span> <span class="n">v2</span> <span class="k">for</span> <span class="nb">all</span> <span class="n">request</span><span class="o">/</span><span class="n">response</span> <span class="nf">models </span><span class="p">(</span><span class="ow">not</span> <span class="n">v1</span> <span class="n">syntax</span><span class="err">!</span><span class="p">)</span> <span class="o">-</span> <span class="n">Async</span><span class="o">/</span><span class="k">await</span> <span class="k">for</span> <span class="nb">all</span> <span class="n">I</span><span class="o">/</span><span class="n">O</span> <span class="nf">operations </span><span class="p">(</span><span class="n">database</span><span class="p">,</span> <span class="n">Redis</span><span class="p">,</span> <span class="n">external</span> <span class="n">APIs</span><span class="p">)</span> <span class="o">-</span> <span class="n">Use</span> <span class="sb">`snake_case`</span> <span class="k">for</span> <span class="n">variables</span> <span class="ow">and</span> <span class="nf">functions </span><span class="p">(</span><span class="ow">not</span> <span class="n">camelCase</span><span class="p">)</span> <span class="o">-</span> <span class="n">Max</span> <span class="n">line</span> <span class="n">length</span><span class="p">:</span> <span class="mi">100</span> <span class="nf">characters </span><span class="p">(</span><span class="n">formatter</span> <span class="n">will</span> <span class="n">enforce</span><span class="p">)</span> <span class="o">-</span> <span class="n">Docstrings</span><span class="p">:</span> <span class="n">Google</span> <span class="n">style</span><span class="p">,</span> <span class="ow">not</span> <span class="n">NumPy</span> <span class="n">style</span> <span class="c1">## Project Structure (Don't Deviate Without Approval) </span></code></pre> </div> <p>/app<br> /api<br> /v1<br> /routes # Route definitions only, no business logic<br> - user_routes.py<br> - auth_routes.py<br> /dependencies # FastAPI dependencies (auth, db sessions)<br> /middleware # Custom middleware<br> /core<br> /config.py # Environment config (uses pydantic-settings)<br> /security.py # Auth helpers, password hashing<br> /database.py # SQLAlchemy setup<br> /models # SQLAlchemy ORM models<br> /schemas # Pydantic request/response schemas<br> /services # Business logic layer (route → service → repository)<br> /repositories # Database access layer (one per model)<br> /tasks # Celery tasks for async jobs<br> /utils # Helpers, formatters, etc.<br> /tests<br> /unit<br> /integration<br> /alembic # Database migrations<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Critical Patterns (Read This Before Generating Code) ### 1. Database Sessions - ALWAYS Use Dependency Injection </code></pre> </div> <p><br> python</p> <h1> ✅ CORRECT - Use this pattern </h1> <p>from app.core.database import get_db<br> from sqlalchemy.ext.asyncio import AsyncSession</p> <p>@router.get("/users/{user_id}")<br> async def get_user(<br> user_id: int,<br> db: AsyncSession = Depends(get_db) # DI, not global<br> ):<br> user = await user_repository.get_by_id(db, user_id)<br> return user</p> <h1> ❌ WRONG - Never do this </h1> <h1> global_db = SessionLocal() # NO! This breaks in async context </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### 2. Authentication - Secure by Default </code></pre> </div> <p><br> python</p> <h1> ✅ CORRECT - Routes require auth unless explicitly marked public </h1> <p>@router.get("/profile")<br> async def get_profile(<br> current_user: User = Depends(get_current_user) # Auth required<br> ):<br> return current_user</p> <p>@router.get("/health")<br> @public_route # Explicit opt-out decorator<br> async def health_check():<br> return {"status": "healthy"}</p> <h1> ❌ WRONG - Don't make auth optional by default </h1> <h1> async def get_profile(current_user: User | None = Depends(get_current_user_optional)) </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### 3. Error Handling - Proper HTTP Status Codes </code></pre> </div> <p><br> python</p> <h1> ✅ CORRECT - Use specific exceptions </h1> <p>from fastapi import HTTPException, status</p> <p>if not user:<br> raise HTTPException(<br> status_code=status.HTTP_404_NOT_FOUND,<br> detail=f"User {user_id} not found" # Helpful message<br> )</p> <p>if not user.is_active:<br> raise HTTPException(<br> status_code=status.HTTP_403_FORBIDDEN,<br> detail="Account is deactivated"<br> )</p> <h1> ❌ WRONG - Generic 400 for everything </h1> <h1> raise HTTPException(status_code=400, detail="Error") </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### 4. Response Models - Always Specify </code></pre> </div> <p><br> python</p> <h1> ✅ CORRECT - Explicit response model </h1> <p>@router.get("/users/{user_id}", response_model=UserResponse)<br> async def get_user(user_id: int, db: AsyncSession = Depends(get_db)):<br> user = await user_service.get_user(db, user_id)<br> return user # Auto-validated and serialized</p> <h1> ❌ WRONG - No response model = returns raw SQLAlchemy objects </h1> <h1> @router.get("/users/{user_id}") # Missing response_model </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### 5. Logging - Use Structured Logging </code></pre> </div> <p><br> python</p> <h1> ✅ CORRECT - Use logger with context </h1> <p>import logging<br> from app.core.logging_config import get_logger</p> <p>logger = get_logger(<strong>name</strong>)</p> <p>@router.post("/orders")<br> async def create_order(order_data: OrderCreate, db: AsyncSession = Depends(get_db)):<br> logger.info(<br> "Creating order",<br> extra={<br> "user_id": order_data.user_id,<br> "product_count": len(order_data.items),<br> "total_amount": order_data.total<br> }<br> )<br> # ... create order ...</p> <h1> ❌ WRONG - print() statements </h1> <h1> print(f"Order created: {order.id}") # NO! Use logger </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### 6. Environment Variables - Type-Safe Config </code></pre> </div> <p><br> python</p> <h1> ✅ CORRECT - Pydantic settings model </h1> <p>from pydantic_settings import BaseSettings</p> <p>class Settings(BaseSettings):<br> DATABASE_URL: str<br> REDIS_URL: str<br> SECRET_KEY: str<br> DEBUG: bool = False<br> API_RATE_LIMIT: int = 100</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>model_config = { "env_file": ".env", "env_file_encoding": "utf-8", "case_sensitive": True } </code></pre> </div> <p>settings = Settings() # Validates on startup</p> <h1> ❌ WRONG - Raw os.getenv() </h1> <h1> import os </h1> <h1> DB_URL = os.getenv("DATABASE_URL") # No validation, can be None </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Testing Requirements ### Unit Tests </code></pre> </div> <p><br> python</p> <h1> ✅ CORRECT - Test services in isolation </h1> <p>import pytest<br> from unittest.mock import AsyncMock</p> <p>@pytest.mark.asyncio<br> async def test_create_user_success():<br> # Mock the repository layer<br> mock_repo = AsyncMock()<br> mock_repo.create.return_value = User(id=1, email="<a href="mailto:test@example.com">test@example.com</a>")</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>service = UserService(mock_repo) result = await service.create_user(UserCreate(email="test@example.com")) assert result.id == 1 mock_repo.create.assert_called_once() </code></pre> </div> <h1> ❌ WRONG - Testing route handlers directly (that's integration testing) </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Integration Tests </code></pre> </div> <p><br> python</p> <h1> ✅ CORRECT - Test full request/response cycle </h1> <p>from httpx import AsyncClient</p> <p>@pytest.mark.asyncio<br> async def test_user_registration_endpoint(client: AsyncClient):<br> response = await client.post(<br> "/api/v1/auth/register",<br> json={"email": "<a href="mailto:new@example.com">new@example.com</a>", "password": "secure123"}<br> )</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>assert response.status_code == 201 assert "id" in response.json() assert response.json()["email"] == "new@example.com" </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## What to NEVER Do (Seriously) ### ❌ Don't Mix Business Logic into Route Handlers </code></pre> </div> <p><br> python</p> <h1> WRONG - Route doing too much </h1> <p>@router.post("/orders")<br> async def create_order(order: OrderCreate, db: AsyncSession = Depends(get_db)):<br> # Validate inventory<br> product = await db.execute(...)<br> if product.stock &lt; order.quantity:<br> raise HTTPException(400, "Out of stock")</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Calculate pricing price = product.price * order.quantity if order.discount_code: discount = await db.execute(...) price = price * (1 - discount.percentage) # ... 50 more lines of logic ... </code></pre> </div> <h1> CORRECT - Route delegates to service </h1> <p>@router.post("/orders")<br> async def create_order(<br> order: OrderCreate,<br> db: AsyncSession = Depends(get_db),<br> current_user: User = Depends(get_current_user)<br> ):<br> result = await order_service.create_order(db, order, current_user)<br> return result<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### ❌ Don't Use `print()` for Logging </code></pre> </div> <p><br> python</p> <h1> WRONG </h1> <p>print(f"User {user_id} logged in")</p> <h1> CORRECT </h1> <p>logger.info("User logged in", extra={"user_id": user_id})<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### ❌ Don't Store Secrets in Code </code></pre> </div> <p><br> python</p> <h1> WRONG </h1> <p>SECRET_KEY = "hardcoded-secret-key-123"<br> DATABASE_URL = "postgresql://user:password@localhost/db"</p> <h1> CORRECT - Use environment variables </h1> <p>from app.core.config import settings<br> SECRET_KEY = settings.SECRET_KEY<br> DATABASE_URL = settings.DATABASE_URL<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### ❌ Don't Skip Input Validation </code></pre> </div> <p><br> python</p> <h1> WRONG - Trusting user input </h1> <p>@router.post("/users")<br> async def create_user(email: str, password: str): # Raw strings, no validation<br> # ... create user ...</p> <h1> CORRECT - Pydantic validates everything </h1> <p>@router.post("/users", response_model=UserResponse)<br> async def create_user(user_data: UserCreate): # Pydantic model with validation<br> # user_data.email is already validated as email format<br> # user_data.password meets minimum length requirements<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### ❌ Don't Return SQLAlchemy Models Directly </code></pre> </div> <p><br> python</p> <h1> WRONG - Exposes internal model structure and relationships </h1> <p>@router.get("/users/{user_id}")<br> async def get_user(user_id: int, db: AsyncSession = Depends(get_db)):<br> user = await db.get(User, user_id)<br> return user # SQLAlchemy model with lazy-loaded relationships</p> <h1> CORRECT - Use Pydantic response schemas </h1> <p>@router.get("/users/{user_id}", response_model=UserResponse)<br> async def get_user(user_id: int, db: AsyncSession = Depends(get_db)):<br> user = await user_repository.get_by_id(db, user_id)<br> return UserResponse.model_validate(user) # Pydantic v2 syntax<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Performance Rules 1. **Always use connection pooling** - Already configured in core/database.py 2. **Index foreign keys** - Alembic migrations should include indexes 3. **Use select/join loading** - Avoid N+1 queries with SQLAlchemy relationships 4. **Cache frequently accessed data** - Use Redis with 5-minute default TTL 5. **Async everywhere** - If it does I/O, it must be async ## When in Doubt 1. Check existing code in the same module 2. Ask in #backend-squad Slack channel 3. Look at our API documentation: https://docs.internal/api-guidelines 4. Copy patterns from `app/api/v1/routes/user_routes.py` (our reference implementation) ## Last Updated: 2024-01-15 ## Questions? Ask @sarah or @mike in #backend-squad </code></pre> </div> <h2> Realistic .cursorrules Template </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .cursorrules Template</span> <span class="c"># Copy this to your project root and customize for your team</span> <span class="c">## Project Context</span> <span class="c"># Project: [Your Project Name]</span> <span class="c"># Primary Language: [Python/TypeScript/Go/etc]</span> <span class="c"># Framework: [FastAPI/Express/Django/etc]</span> <span class="c"># Team Size: [Number]</span> <span class="c"># Last Updated: [Date]</span> <span class="c">## Tech Stack</span> <span class="c"># Be specific with versions - prevents AI suggesting deprecated syntax</span> - <span class="o">[</span>framework]<span class="o">==[</span>version] - <span class="o">[</span>database_lib]<span class="o">==[</span>version] - <span class="o">[</span>orm]<span class="o">==[</span>version] <span class="c"># Example: fastapi==0.104.1, not just "FastAPI"</span> <span class="c">## Code Style (Pick One and Stick With It)</span> <span class="c"># Don't say "follow PEP8" - be specific about YOUR choices</span> - Indentation: <span class="o">[</span>spaces/tabs] <span class="o">[</span>how many] - Line length: <span class="o">[</span>80/100/120] characters - Quotes: <span class="o">[</span>single/double] quotes <span class="k">for </span>strings - Naming: <span class="o">[</span>camelCase/snake_case/PascalCase] <span class="k">for</span> <span class="o">[</span>what] - Type hints: <span class="o">[</span>required/optional/forbidden] - Comments: <span class="o">[</span>where you want them and where you don<span class="s1">'t] ## Project Structure # Paste your actual directory tree - AI uses this for imports </span></code></pre> </div> <p>/src<br> /[module_name]<br> /[subfolder]<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Architecture Patterns ### [Pattern Name] - [When to Use It] </code></pre> </div> <p><br> [language]</p> <h1> ✅ CORRECT - Show the pattern you WANT </h1> <p>[your preferred code example]</p> <h1> ❌ WRONG - Show what you DON'T want (AI learns from negatives) </h1> <p>[anti-pattern you keep seeing in PRs]<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### [Another Pattern] </code></pre> </div> <p><br> [language]</p> <h1> Include comments explaining WHY, not just WHAT </h1> <h1> "We use X because Y keeps breaking in production" </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Testing Requirements - Test framework: [pytest/jest/etc] - Coverage requirement: [percentage or "no hard requirement"] - What must be tested: [list specific things] - What can skip tests: [scripts, configs, etc] ## Common Mistakes to Avoid # This section saves hours in PR reviews - [ ] Don't [common mistake #1] - [ ] Don't [common mistake #2] - [ ] Always [thing people forget] ## Dependencies &amp; Environment </code></pre> </div> <p><br> bash</p> <h1> How to install everything (so AI can reference correct versions) </h1> <p>[your actual setup commands]<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Gotchas in This Codebase # The stuff that only exists in YOUR code - [Legacy pattern you're stuck with]: [explanation] - [Weird workaround]: [why it exists] - [That one file nobody touches]: [what it does] ## External Services # So AI knows what's available - Database: [type, how to connect] - Cache: [Redis/Memcached/etc, connection pattern] - Message Queue: [if applicable] - Auth: [JWT/OAuth/session, where configured] ## When in Doubt 1. [Where to check existing examples] 2. [Who to ask] 3. [Documentation link] ## Notes # Anything else that doesn't fit above but matters </code></pre> </div> <h2> Real Example: The Rate Limiting Implementation </h2> <h3> Initial Attempt (What Copilot Suggested) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// api/middleware/rate-limit.ts</span> <span class="c1">// Added: 2024-01-10 - Sprint 28 - Security requirement from InfoSec</span> <span class="c1">// Context: Need to prevent API abuse after bot attack last week</span> <span class="k">import</span> <span class="nx">rateLimit</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Copilot generated this - seemed reasonable at first</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">apiLimiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 15 minutes</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="c1">// limit each IP to 100 requests per windowMs</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// Applied to all routes</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">apiLimiter</span><span class="p">);</span> </code></pre> </div> <p><strong>Problems found in code review:</strong></p> <ul> <li>No differentiation between endpoints (login same as health check)</li> <li>IP-based limiting breaks behind load balancer</li> <li>No way to allowlist internal services</li> <li>Generic error message doesn't tell user when to retry</li> </ul> <h3> Second Attempt (After Code Review) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// api/middleware/rate-limit.ts</span> <span class="c1">// Updated: 2024-01-12 - Incorporated feedback from code review</span> <span class="c1">// Reviewers: @sarah, @tom</span> <span class="c1">// TODO: Add Redis store once we set up cluster (using memory for now)</span> <span class="k">import</span> <span class="nx">rateLimit</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Options</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Get real IP behind load balancer</span> <span class="c1">// Our LB sets X-Forwarded-For header</span> <span class="kd">function</span> <span class="nf">getClientIp</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">forwardedFor</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-forwarded-for</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">forwardedFor</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// First IP in the chain is the original client</span> <span class="k">return</span> <span class="nx">forwardedFor</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nf">trim</span><span class="p">();</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">socket</span><span class="p">.</span><span class="nx">remoteAddress</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">unknown</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Different limits for different endpoint types</span> <span class="kd">const</span> <span class="nx">rateLimitConfigs</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nb">Partial</span><span class="o">&lt;</span><span class="nx">Options</span><span class="o">&gt;&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">// Strict limits for auth endpoints (prevent brute force)</span> <span class="na">auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 15 minutes</span> <span class="na">max</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="c1">// 5 attempts per 15 min</span> <span class="na">message</span><span class="p">:</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many authentication attempts</span><span class="dl">'</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Please try again in 15 minutes</span><span class="dl">'</span> <span class="p">},</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Return rate limit info in headers</span> <span class="na">legacyHeaders</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// Moderate limits for data modification</span> <span class="na">mutation</span><span class="p">:</span> <span class="p">{</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 1 minute</span> <span class="na">max</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="c1">// 30 requests per minute</span> <span class="na">message</span><span class="p">:</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rate limit exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Please wait a minute before trying again</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="c1">// Relaxed limits for read operations</span> <span class="na">query</span><span class="p">:</span> <span class="p">{</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 1 minute </span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="c1">// 100 requests per minute</span> <span class="na">message</span><span class="p">:</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rate limit exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Please slow down your requests</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// Create rate limiters for each category</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authLimiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="p">...</span><span class="nx">rateLimitConfigs</span><span class="p">.</span><span class="nx">auth</span><span class="p">,</span> <span class="na">keyGenerator</span><span class="p">:</span> <span class="nx">getClientIp</span><span class="p">,</span> <span class="c1">// Skip rate limiting for internal services</span> <span class="na">skip</span><span class="p">:</span> <span class="p">(</span><span class="na">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-api-key</span><span class="dl">'</span><span class="p">];</span> <span class="k">return</span> <span class="nx">apiKey</span> <span class="o">===</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INTERNAL_SERVICE_KEY</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">mutationLimiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="p">...</span><span class="nx">rateLimitConfigs</span><span class="p">.</span><span class="nx">mutation</span><span class="p">,</span> <span class="na">keyGenerator</span><span class="p">:</span> <span class="nx">getClientIp</span><span class="p">,</span> <span class="na">skip</span><span class="p">:</span> <span class="p">(</span><span class="na">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-api-key</span><span class="dl">'</span><span class="p">];</span> <span class="k">return</span> <span class="nx">apiKey</span> <span class="o">===</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INTERNAL_SERVICE_KEY</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">queryLimiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="p">...</span><span class="nx">rateLimitConfigs</span><span class="p">.</span><span class="nx">query</span><span class="p">,</span> <span class="na">keyGenerator</span><span class="p">:</span> <span class="nx">getClientIp</span><span class="p">,</span> <span class="na">skip</span><span class="p">:</span> <span class="p">(</span><span class="na">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-api-key</span><span class="dl">'</span><span class="p">];</span> <span class="k">return</span> <span class="nx">apiKey</span> <span class="o">===</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INTERNAL_SERVICE_KEY</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Applied selectively to route groups</span> <span class="c1">// In routes/auth.routes.ts:</span> <span class="c1">// router.post('/login', authLimiter, loginController);</span> <span class="c1">// </span> <span class="c1">// In routes/users.routes.ts:</span> <span class="c1">// router.get('/users', queryLimiter, getUsersController);</span> <span class="c1">// router.post('/users', mutationLimiter, createUserController);</span> </code></pre> </div> <p><strong>Still has issues:</strong></p> <ul> <li>Using in-memory store (doesn't work in multi-server setup)</li> <li>Environment variable check is not secure</li> <li>No monitoring/alerting when limits are hit</li> </ul> <h3> Production Version (Actually Deployed) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// api/middleware/rate-limit.ts</span> <span class="c1">// Version: 3.0 - Production Ready</span> <span class="c1">// Updated: 2024-01-18</span> <span class="c1">// Changes: Added Redis store, proper monitoring, better error handling</span> <span class="c1">// Related: JIRA-1234 (Security audit findings)</span> <span class="k">import</span> <span class="nx">rateLimit</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Options</span><span class="p">,</span> <span class="nx">Store</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">RedisStore</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">rate-limit-redis</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">redis</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">logger</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils/logger</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">metricsClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../monitoring/metrics</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Redis client for rate limit storage</span> <span class="c1">// Shared across all app instances - critical for multi-server setup</span> <span class="kd">const</span> <span class="nx">redisClient</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REDIS_URL</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">redis://localhost:6379</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REDIS_PASSWORD</span><span class="p">,</span> <span class="na">socket</span><span class="p">:</span> <span class="p">{</span> <span class="na">reconnectStrategy</span><span class="p">:</span> <span class="p">(</span><span class="nx">retries</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">retries</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Redis connection failed after 10 retries</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Redis connection failed</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nx">retries</span> <span class="o">*</span> <span class="mi">100</span><span class="p">,</span> <span class="mi">3000</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Redis client error</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">stack</span> <span class="p">});</span> <span class="c1">// Alert ops team - rate limiting will fall back to memory</span> <span class="nx">metricsClient</span><span class="p">.</span><span class="nf">increment</span><span class="p">(</span><span class="dl">'</span><span class="s1">rate_limit.redis.error</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connect</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">Redis client connected for rate limiting</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Initialize Redis connection</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">connect</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to connect to Redis</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">error</span> <span class="p">});</span> <span class="c1">// App continues but rate limiting will be less effective</span> <span class="p">}</span> <span class="p">})();</span> <span class="cm">/** * Extract client IP from request, handling proxy scenarios * Our infrastructure: Cloudflare -&gt; ALB -&gt; App servers */</span> <span class="kd">function</span> <span class="nf">getClientIp</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="c1">// Cloudflare sets CF-Connecting-IP header with original client IP</span> <span class="kd">const</span> <span class="nx">cfIp</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">cf-connecting-ip</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">cfIp</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">cfIp</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Fallback to X-Forwarded-For</span> <span class="kd">const</span> <span class="nx">forwardedFor</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-forwarded-for</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">forwardedFor</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ips</span> <span class="o">=</span> <span class="nx">forwardedFor</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">).</span><span class="nf">map</span><span class="p">(</span><span class="nx">ip</span> <span class="o">=&gt;</span> <span class="nx">ip</span><span class="p">.</span><span class="nf">trim</span><span class="p">());</span> <span class="c1">// First IP is the original client (before proxies)</span> <span class="k">return</span> <span class="nx">ips</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="p">}</span> <span class="c1">// Last resort - direct connection IP</span> <span class="k">return</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">socket</span><span class="p">.</span><span class="nx">remoteAddress</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">unknown</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/** * Check if request should bypass rate limiting * Used for: internal services, monitoring, health checks */</span> <span class="kd">function</span> <span class="nf">shouldSkipRateLimit</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="c1">// Health checks from load balancer</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">path</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">path</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">/metrics</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Internal service authentication</span> <span class="c1">// Uses bcrypt-hashed tokens stored in environment</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-api-key</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">apiKey</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">validKeys</span> <span class="o">=</span> <span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INTERNAL_API_KEYS</span> <span class="o">||</span> <span class="dl">''</span><span class="p">).</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">validKeys</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Authenticated admin users get higher limits (handled separately)</span> <span class="c1">// Just skip the base rate limit</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/** * Custom handler when rate limit is exceeded * Logs incidents for monitoring and alerts */</span> <span class="kd">function</span> <span class="nf">rateLimitExceededHandler</span><span class="p">(</span> <span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="k">void</span><span class="p">,</span> <span class="nx">options</span><span class="p">:</span> <span class="nx">Options</span> <span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">clientIp</span> <span class="o">=</span> <span class="nf">getClientIp</span><span class="p">(</span><span class="nx">req</span><span class="p">);</span> <span class="c1">// Log rate limit violation for security monitoring</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">'</span><span class="s1">Rate limit exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ip</span><span class="p">:</span> <span class="nx">clientIp</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">path</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">user-agent</span><span class="dl">'</span><span class="p">],</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">id</span> <span class="o">||</span> <span class="kc">null</span><span class="p">,</span> <span class="na">limitType</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">windowMs</span> <span class="p">?</span> <span class="s2">`</span><span class="p">${</span><span class="nx">options</span><span class="p">.</span><span class="nx">max</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">options</span><span class="p">.</span><span class="nx">windowMs</span><span class="p">}</span><span class="s2">ms`</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">unknown</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// Increment metrics for monitoring dashboard</span> <span class="nx">metricsClient</span><span class="p">.</span><span class="nf">increment</span><span class="p">(</span><span class="dl">'</span><span class="s1">rate_limit.exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">path</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="p">});</span> <span class="c1">// Check if this IP is repeatedly hitting limits (possible attack)</span> <span class="kd">const</span> <span class="nx">violationKey</span> <span class="o">=</span> <span class="s2">`rate_limit_violations:</span><span class="p">${</span><span class="nx">clientIp</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">incr</span><span class="p">(</span><span class="nx">violationKey</span><span class="p">).</span><span class="nf">then</span><span class="p">((</span><span class="nx">violations</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">violations</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Possible attack detected - repeated rate limit violations</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ip</span><span class="p">:</span> <span class="nx">clientIp</span><span class="p">,</span> <span class="nx">violations</span><span class="p">,</span> <span class="na">timeWindow</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1 hour</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// TODO: Auto-block IPs after threshold (requires approval from security team)</span> <span class="nx">metricsClient</span><span class="p">.</span><span class="nf">increment</span><span class="p">(</span><span class="dl">'</span><span class="s1">security.possible_attack_detected</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}).</span><span class="k">catch</span><span class="p">(</span><span class="nx">err</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to track rate limit violations</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Set violation counter to expire after 1 hour</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">expire</span><span class="p">(</span><span class="nx">violationKey</span><span class="p">,</span> <span class="mi">3600</span><span class="p">);</span> <span class="c1">// Return error response with retry information</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">message</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">You have exceeded the rate limit</span><span class="dl">'</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="nx">res</span><span class="p">.</span><span class="nf">getHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Retry-After</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// Help developers debug</span> <span class="na">limit</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">max</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">windowMs</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Rate limit configurations for different endpoint categories</span> <span class="kr">interface</span> <span class="nx">RateLimitConfig</span> <span class="kd">extends</span> <span class="nb">Partial</span><span class="o">&lt;</span><span class="nx">Options</span><span class="o">&gt;</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">description</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">rateLimitConfigs</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">RateLimitConfig</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">// Strictest limits for authentication endpoints</span> <span class="c1">// Prevents brute force attacks on login</span> <span class="na">auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">auth</span><span class="dl">'</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Authentication endpoints (login, register, password reset)</span><span class="dl">'</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 15 minutes</span> <span class="na">max</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="c1">// Only 5 attempts per 15 minutes</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many authentication attempts. Please try again later.</span><span class="dl">'</span><span class="p">,</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">legacyHeaders</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">store</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RedisStore</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="nx">redisClient</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">rl:auth:</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="p">},</span> <span class="c1">// Moderate limits for data modification</span> <span class="c1">// Prevents spam and abuse while allowing legitimate use</span> <span class="na">mutation</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">mutation</span><span class="dl">'</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Data modification endpoints (POST, PUT, DELETE)</span><span class="dl">'</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 1 minute</span> <span class="na">max</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="c1">// 30 mutations per minute</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests. Please slow down.</span><span class="dl">'</span><span class="p">,</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">legacyHeaders</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">store</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RedisStore</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="nx">redisClient</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">rl:mutation:</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="p">},</span> <span class="c1">// Relaxed limits for read operations</span> <span class="c1">// Allows dashboards and monitoring to function normally</span> <span class="na">query</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">query</span><span class="dl">'</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Read-only endpoints (GET)</span><span class="dl">'</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 1 minute</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="c1">// 100 queries per minute</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests. Please slow down.</span><span class="dl">'</span><span class="p">,</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">legacyHeaders</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">store</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RedisStore</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="nx">redisClient</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">rl:query:</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="p">},</span> <span class="c1">// Special category for expensive operations</span> <span class="c1">// Example: PDF generation, bulk exports</span> <span class="na">expensive</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">expensive</span><span class="dl">'</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Resource-intensive operations</span><span class="dl">'</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 1 hour</span> <span class="na">max</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="c1">// Only 10 per hour</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">This operation is rate limited. Please try again later.</span><span class="dl">'</span><span class="p">,</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">legacyHeaders</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">store</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RedisStore</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="nx">redisClient</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">rl:expensive:</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// Create rate limiter middleware for each category</span> <span class="kd">function</span> <span class="nf">createRateLimiter</span><span class="p">(</span><span class="nx">config</span><span class="p">:</span> <span class="nx">RateLimitConfig</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="p">...</span><span class="nx">config</span><span class="p">,</span> <span class="na">keyGenerator</span><span class="p">:</span> <span class="nx">getClientIp</span><span class="p">,</span> <span class="na">skip</span><span class="p">:</span> <span class="nx">shouldSkipRateLimit</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="nx">rateLimitExceededHandler</span><span class="p">,</span> <span class="c1">// Fail open if Redis is down - log error but allow request</span> <span class="na">skipFailedRequests</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">skipSuccessfulRequests</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Export configured rate limiters</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authLimiter</span> <span class="o">=</span> <span class="nf">createRateLimiter</span><span class="p">(</span><span class="nx">rateLimitConfigs</span><span class="p">.</span><span class="nx">auth</span><span class="p">);</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">mutationLimiter</span> <span class="o">=</span> <span class="nf">createRateLimiter</span><span class="p">(</span><span class="nx">rateLimitConfigs</span><span class="p">.</span><span class="nx">mutation</span><span class="p">);</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">queryLimiter</span> <span class="o">=</span> <span class="nf">createRateLimiter</span><span class="p">(</span><span class="nx">rateLimitConfigs</span><span class="p">.</span><span class="nx">query</span><span class="p">);</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">expensiveLimiter</span> <span class="o">=</span> <span class="nf">createRateLimiter</span><span class="p">(</span><span class="nx">rateLimitConfigs</span><span class="p">.</span><span class="nx">expensive</span><span class="p">);</span> <span class="c1">// Cleanup on app shutdown</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">cleanupRateLimiting</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">quit</span><span class="p">();</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">Rate limiting Redis client disconnected</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error disconnecting rate limiting Redis client</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">error</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Usage examples:</span> <span class="c1">// </span> <span class="c1">// In routes/auth.routes.ts:</span> <span class="c1">// router.post('/login', authLimiter, loginController);</span> <span class="c1">// router.post('/register', authLimiter, registerController);</span> <span class="c1">// router.post('/reset-password', authLimiter, resetPasswordController);</span> <span class="c1">//</span> <span class="c1">// In routes/users.routes.ts:</span> <span class="c1">// router.get('/users', queryLimiter, getUsersController);</span> <span class="c1">// router.post('/users', mutationLimiter, createUserController);</span> <span class="c1">// router.delete('/users/:id', mutationLimiter, deleteUserController);</span> <span class="c1">//</span> <span class="c1">// In routes/reports.routes.ts:</span> <span class="c1">// router.post('/reports/export', expensiveLimiter, exportReportController);</span> </code></pre> </div> <p><strong>Companion configuration file:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// .env.example</span> <span class="err">#</span> <span class="nx">Add</span> <span class="nx">these</span> <span class="nx">to</span> <span class="nx">your</span> <span class="nx">actual</span> <span class="p">.</span><span class="nx">env</span> <span class="nx">file</span> <span class="err">#</span> <span class="nx">Redis</span> <span class="nc">Configuration </span><span class="p">(</span><span class="nb">Required</span> <span class="k">for</span> <span class="nx">rate</span> <span class="nx">limiting</span> <span class="k">in</span> <span class="nx">production</span><span class="p">)</span> <span class="nx">REDIS_URL</span><span class="o">=</span><span class="nx">redis</span><span class="p">:</span><span class="c1">//localhost:6379</span> <span class="nx">REDIS_PASSWORD</span><span class="o">=</span><span class="nx">your</span><span class="o">-</span><span class="nx">secure</span><span class="o">-</span><span class="nx">password</span><span class="o">-</span><span class="nx">here</span> <span class="err">#</span> <span class="nx">Internal</span> <span class="nx">API</span> <span class="nc">Keys </span><span class="p">(</span><span class="nx">comma</span><span class="o">-</span><span class="nx">separated</span><span class="p">,</span> <span class="nx">bcrypt</span> <span class="nx">hashed</span><span class="p">)</span> <span class="err">#</span> <span class="nx">Generate</span> <span class="kd">with</span><span class="p">:</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="dl">'</span><span class="s1">your-key</span><span class="dl">'</span><span class="p">,</span> <span class="mi">10</span><span class="p">)</span> <span class="nx">INTERNAL_API_KEYS</span><span class="o">=</span><span class="nx">$2b$10$</span><span class="p">...</span><span class="nx">hash1</span><span class="p">...,</span><span class="nx">$2b$10$</span><span class="p">...</span><span class="nx">hash2</span><span class="p">...</span> <span class="err">#</span> <span class="nc">Monitoring </span><span class="p">(</span><span class="nx">Optional</span> <span class="nx">but</span> <span class="nx">recommended</span><span class="p">)</span> <span class="nx">METRICS_ENABLED</span><span class="o">=</span><span class="kc">true</span> <span class="nx">METRICS_HOST</span><span class="o">=</span><span class="nx">statsd</span><span class="p">.</span><span class="nx">internal</span><span class="p">:</span><span class="mi">8125</span> </code></pre> </div> <p>This is what production-quality code actually looks like - evolved through multiple iterations, with real comments explaining decisions, proper error handling, monitoring, and all the edge cases you discover when code hits production.</p> cursor github githubcopilot